From b3f724c7999142078903aca830e693dcf0d7a08a Mon Sep 17 00:00:00 2001
From: Aeledfyr <45501007+Aeledfyr@users.noreply.github.com>
Date: Mon, 30 Nov 2020 11:45:59 -0600
Subject: [PATCH] Hotfix: fix version delete permissions and CORS allowed methods (#107)
---
 src/main.rs | 2 +-
 src/routes/versions.rs | 14 +++++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index 65ff1e8e..8e5f1704 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -280,7 +280,7 @@ async fn main() -> std::io::Result<()> {
 // Init App
 HttpServer::new(move || {
 let mut cors = Cors::new()
- .allowed_methods(vec!["GET", "POST"])
+ .allowed_methods(vec!["GET", "POST", "DELETE", "PATCH", "PUT"])
 .allowed_headers(vec![http::header::AUTHORIZATION, http::header::ACCEPT])
 .allowed_header(http::header::CONTENT_TYPE)
 .max_age(3600);
diff --git a/src/routes/versions.rs b/src/routes/versions.rs
index 10dcc9e2..31b2b0f3 100644
--- a/src/routes/versions.rs
+++ b/src/routes/versions.rs
@@ -493,18 +493,18 @@ pub async fn version_delete(
 let user = get_user_from_headers(req.headers(), &**pool).await?;
 let id = info.into_inner().0;
- if user.role.is_mod() {
+ if !user.role.is_mod() {
 let version = database::models::Version::get(id.into(), &**pool)
 .await
 .map_err(|e| ApiError::DatabaseError(e.into()))?
 .ok_or_else(|| {
- ApiError::InvalidInputError("Invalid Version ID specified!".to_string())
+ ApiError::InvalidInputError("An invalid version ID was specified".to_string())
 })?;
 let mod_item = database::models::Mod::get(version.mod_id, &**pool)
 .await
 .map_err(|e| ApiError::DatabaseError(e.into()))?
 .ok_or_else(|| {
- ApiError::InvalidInputError("Invalid Version ID specified!".to_string())
+ ApiError::InvalidInputError("The version is not attached to a mod".to_string())
 })?;
 let team_member = database::models::TeamMember::get_from_user_id(
 mod_item.team_id,
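Review bot: The new `allowed_methods` line lets cross-origin preflights succeed for DELETE, PATCH and PUT, but the origin policy that bounds this is not visible in the hunk — `Cors::new()` is shown with no `allowed_origin` call, so whether these mutating methods are reachable from arbitrary origins depends on configuration outside the hunk. AUTHORIZATION being an allowed header suggests bearer-token rather than cookie authentication, which limits the exposure, but if `supports_credentials` is ever enabled the origin list must be explicit. A comment on the changed line would make that dependency visible: `// Mutating methods are allowed cross-origin; this is only safe while auth stays header-based (no cookie credentials)`. The enclosing `main` starts before and continues past the hunk.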
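Review bot: The second lookup's new message, `ApiError::InvalidInputError("The version is not attached to a mod")`, classifies a server-side integrity problem as bad input: by that point the caller's version ID was valid, and a version row whose `mod_id` resolves to nothing is an orphaned record, not a client error, so it should map to whichever internal-error variant `ApiError` provides rather than report the inconsistency back to the caller. At minimum add a comment at that `.ok_or_else` noting the condition is unexpected and should be logged, e.g. `// Orphaned version (mod row missing): integrity problem, not caller input`. The rest of `version_delete`, including the actual deletion, lies outside this hunk.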
@@ -513,14 +513,18 @@ pub async fn version_delete(
 )
 .await
 .map_err(ApiError::DatabaseError)?
- .ok_or_else(|| ApiError::InvalidInputError("Invalid Version ID specified!".to_string()))?;
+ .ok_or_else(|| {
+ ApiError::InvalidInputError(
+ "You do not have permission to delete versions in this team".to_string(),
+ )
+ })?;
 if !team_member
 .permissions
 .contains(Permissions::DELETE_VERSION)
 {
 return Err(ApiError::CustomAuthenticationError(
- "You don't have permission to delete versions in this team".to_string(),
+ "You do not have permission to delete versions in this team".to_string(),
 ));
 }
 }
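Review bot: A caller who is not on the team at all now gets `ApiError::InvalidInputError` from the `.ok_or_else` at the top of the hunk, while a team member lacking `DELETE_VERSION` gets `ApiError::CustomAuthenticationError` with the identical message a few lines below; the same authorization failure is thus reported through two different variants, which likely means two different status codes and lets a caller tell "not a member" apart from "member without permission". Use the same variant in both places: `.ok_or_else(|| ApiError::CustomAuthenticationError("You do not have permission to delete versions in this team".to_string()))?;`. The enclosing `if !user.role.is_mod()` block opens in the previous hunk and `version_delete` continues past this one.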